ID: CVE-2006-5878
Type: cve
Reporter: NVD
Modified: 2017-07-19T21:34:03
Description
Cross-site request forgery (CSRF) vulnerability in Edgewall Trac 0.10 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors.
{
  "result": {
    "openvas": [
      {
        "id": "OPENVAS:57582",
        "type": "openvas",
        "title": "Debian Security Advisory DSA 1209-2 (trac)",
        "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-2.\n\nThe Trac update in DSA 1209 introduced a regression. This update corrects\nthis flaw. For completeness, the original advisory text below:\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.",
        "published": "2008-01-17T00:00:00",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "http://plugins.openvas.org/nasl.php?oid=57582",
        "cvelist": ["CVE-2006-5878"],
        "lastseen": "2017-07-24T12:50:13"
      },
      {
        "id": "OPENVAS:57580",
        "type": "openvas",
        "title": "Debian Security Advisory DSA 1209-1 (trac)",
        "description": "The remote host is missing an update to trac\nannounced via advisory DSA 1209-1.\n\nIt was discovered that Trac, a wiki and issue tracking system for\nsoftware development projects, performs insufficient validation against\ncross-site request forgery, which might lead to an attacker being able\nto perform manipulation of a Trac site with the privileges of the\nattacked Trac user.",
        "published": "2008-01-17T00:00:00",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "http://plugins.openvas.org/nasl.php?oid=57580",
        "cvelist": ["CVE-2006-5878"],
        "lastseen": "2017-07-24T12:50:20"
      },
      {
        "id": "OPENVAS:57953",
        "type": "openvas",
        "title": "Gentoo Security Advisory GLSA 200612-14 (trac)",
        "description": "The remote host is missing updates announced in\nadvisory GLSA 200612-14.",
        "published": "2008-09-24T00:00:00",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "http://plugins.openvas.org/nasl.php?oid=57953",
        "cvelist": ["CVE-2006-5878"],
        "lastseen": "2017-07-24T12:50:19"
      }
    ],
    "nessus": [
      {
        "id": "GENTOO_GLSA-200612-14.NASL",
        "type": "nessus",
        "title": "GLSA-200612-14 : Trac: Cross-site request forgery",
        "description": "The remote host is affected by the vulnerability described in GLSA-200612-14 (Trac: Cross-site request forgery)\n\n Trac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests.\n Impact :\n\n An attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user.\n Workaround :\n\n There is no known workaround at this time.",
        "published": "2006-12-14T00:00:00",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "https://www.tenable.com/plugins/index.php?view=single&id=23866",
        "cvelist": ["CVE-2006-5878"],
        "lastseen": "2017-10-29T13:43:33"
      }
    ],
    "osvdb": [
      {
        "id": "OSVDB:30129",
        "type": "osvdb",
        "title": "Trac Unspecified CSRF",
        "description": "## Solution Description\nUpgrade to version 0.10.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://trac.edgewall.org/ticket/4049\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1209)\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200612-14.xml)\n[Secunia Advisory ID:22868](https://secuniaresearch.flexerasoftware.com/advisories/22868/)\n[Secunia Advisory ID:22789](https://secuniaresearch.flexerasoftware.com/advisories/22789/)\n[Secunia Advisory ID:23357](https://secuniaresearch.flexerasoftware.com/advisories/23357/)\n[CVE-2006-5848](https://vulners.com/cve/CVE-2006-5848)\n[CVE-2006-5878](https://vulners.com/cve/CVE-2006-5878)\n",
        "published": "2006-11-01T10:48:47",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "https://vulners.com/osvdb/OSVDB:30129",
        "cvelist": ["CVE-2006-5848", "CVE-2006-5878"],
        "lastseen": "2017-04-28T13:20:26"
      }
    ],
    "gentoo": [
      {
        "id": "GLSA-200612-14",
        "type": "gentoo",
        "title": "Trac: Cross-site request forgery",
        "description": "### Background\n\nTrac is a wiki and issue tracking system for software development projects. \n\n### Description\n\nTrac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests. \n\n### Impact\n\nAn attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Trac users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/trac-0.10.1\"",
        "published": "2006-12-12T00:00:00",
        "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"},
        "href": "https://security.gentoo.org/glsa/200612-14",
        "cvelist": ["CVE-2006-5848", "CVE-2006-5878"],
        "lastseen": "2016-09-06T19:47:01"
      }
    ]
  }
}